SB 1348, as amended, DeSaulnier. [begin delete]Online data [end delete][begin insert]Data [end insert]brokers: sale of personal[begin delete] information: notice.[end delete][begin insert] information.[end insert]
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site or online service and to comply with that policy.
Unless prohibited by federal or state law, this bill would require[begin delete] an online data[end delete][begin insert] a data[end insert] broker, as defined, that sells or offers for sale to a 3rd party the personal information of any resident of California, to permit a subject individual, as defined, to[begin delete] (1)[end delete] review his or her personal[begin delete] information and (2) correct his or her personal[end delete] information, as specified. The bill would require[begin delete] an online data[end delete][begin insert] a data[end insert] broker, unless prohibited by federal or state law, to conspicuously post an opt-out notice on its Internet Web site that would include specific[begin insert] and easily understood[end insert] instructions for permanently removing personal information from the online data broker’s database by making a[begin delete] written[end delete] demand requesting[begin delete] to have the information permanently removed.[end delete][begin insert] that his or her personal information not be shared with or sold to third parties.[end insert] The bill would require[begin delete] an online data[end delete][begin insert] a data[end insert] broker that receives a[begin delete] written[end delete] demand from a subject individual pursuant to these provisions, unless prohibited by federal or state law, to[begin delete] remove the subject individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and to take specified additional steps to ensure that the information is not reposted.[end delete][begin insert] cease sharing or selling that information with third parties as soon as is reasonably possible, and thereafter to only retain as much personal information as is reasonably necessary to comply with the subject individual’s demand.[end insert]
This bill would also make it unlawful for[begin delete] an online data[end delete][begin insert] a data[end insert] broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the[begin delete] online[end delete] data broker’s database, and would authorize a subject individual to bring a civil action against any person in violation of these provisions.[begin delete] The bill’s provisions would apply only to information collected, assembled, or maintained by an online data broker on and after January 1, 2015, except under designated circumstances.[end delete]
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:
The following definitions apply to this chapter:
(a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:
(A) Includes the term “opt out” or “opt-out.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to[begin insert] be a[end insert] hyperlink to the actual opt-out notice.
(b) [begin delete]“Online data broker” [end delete][begin insert](1) “Data broker” [end insert]means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling or offering for sale[begin insert], or other consideration,[end insert] the personal information[begin delete] over the Internet[end delete] to a third party.
(2) “Data broker” does not include any of the following:
[end insert][begin insert]
(A) A commercial entity that sells personal information to the subject individual or his or her representative.
(B) A commercial entity engaging in the activities of a “consumer reporting agency” pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
(C) A commercial entity engaging in the activities of a “consumer credit reporting agency” pursuant to the Consumer Credit Reporting Agencies Act Title 1.6 (commencing with Section 1785.1) of Part 4 of Division 3 of the Civil Code.
(D) A commercial entity selling or providing for sale personal information to other commercial or nonprofit entities or government agencies that will use the information for purposes permitted to be used or disclosed pursuant to any applicable provision of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Sec. 6801 et seq.), including purposes such as identity confirmation and fraud prevention.
(c) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include information that is lawfully made available to the general public from federal, state, or local government records.
(d) “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
(e) [end delete][begin insert](d)[end insert] “Subject individual” means the person to whom personal information pertains.
(f) “Written” means documentation in writing, and includes facsimile, telegraphic, and other forms of electronic communication.
Unless prohibited by federal or state law, an online data broker that sells or offers for sale the personal information of any resident of California to a third party, shall do both of the following:
(a) Permit a subject individual to review his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by means of an electronic search through a secure online system.
(b) Permit a subject individual to correct his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by correcting the information by means of a secure online system.
(a) (1) Unless prohibited by federal or state law, an online data broker shall conspicuously post an opt-out notice on its Internet Web site, which shall include specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information removed.
(2) If a subject individual makes a written demand to remove his or her personal information from an online data broker’s database pursuant to this subdivision, the online data broker shall permanently remove the subject individual’s personal information from its database, in accordance with subdivision (b).
(b) (1) Unless prohibited by federal or state law, an online data broker that receives a written demand from a subject individual pursuant to this section shall remove the subject individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and shall ensure that this information is not reposted on the same Internet Web site, a subsidiary site, or any other Internet Web site owned, controlled, or maintained by the online data broker receiving the written demand.
(2) After receiving a subject individual’s written demand, the online data broker shall not transfer the subject individual’s personal information to any other person, business, or association through any other medium.
(3) Any additional information collected by an online data broker to confirm the identity of a subject individual who has made a written request to remove his or her personal information from a database pursuant to this chapter shall be deleted after the identity of the subject individual has been confirmed and shall not be used for any other purpose.
(a) It is unlawful for an online data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the online data broker’s database.
(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.
Unless prohibited by federal or state law, a data broker that sells or offers for sale the personal information of any resident of California to a third party shall do both of the following:
(a) Permit a subject individual to review his or her personal information that has been collected, assembled, or maintained by the data broker by submitting an electronic demand through a secure online system.
(b) (1) The data broker shall conspicuously post an opt-out notice on its Internet Web site, which shall include specific and easily understood instructions for the subject individual to make a demand on the Internet Web site that his or her personal information not be shared with or sold to third parties.
(2) If a subject individual makes a demand on the Internet Web site that his or her personal information not be shared with or sold to third parties, the data broker shall cease sharing or selling that information with third parties as soon as is reasonably possible, and in no event later than 10 days after receipt of the notice, and the data broker shall thereafter retain only as much personal information as is reasonably necessary to comply with the subject individual’s demand.
(3) After receiving a subject individual’s demand, the data broker shall not transfer the subject individual’s personal information to any other person, business, or association through any other medium.
(4) Any information collected by a data broker to confirm the identity of a subject individual who has made a demand to remove his or her personal information from a database pursuant to this chapter shall be deleted after the identity of the subject individual has been confirmed and shall not be used for any other purpose.
(a) It is unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the data broker’s database.
(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.
In addition to any other sanction, penalty, or remedy provided by law, a subject individual may bring a civil action in any court of competent jurisdiction against any person in violation of this chapter for damages in an amount equal to the greater of one thousand dollars ($1,000) per violation or the actual damages suffered by the subject individual as a result, along with costs, reasonable attorney’s fees, and any other legal or equitable relief.
(a) This chapter shall only apply to personal information that is collected, assembled, or maintained by an online data broker after January 1, 2015.
(b) Notwithstanding subdivision (a), this chapter shall apply to information collected, assembled, or maintained by an online data broker prior to January 1, 2015, if the data broker collected, assembled, or maintained the information in violation of any law or regulation.